cri-o · saschagrunert · Aug 13, 2025 · Aug 7, 2025
@@ -21,7 +21,7 @@ require (
 	github.com/containernetworking/plugins v1.7.1
 	github.com/containers/common v0.64.1
 	github.com/containers/conmon v2.0.20+incompatible
-	github.com/containers/conmon-rs v0.7.1
+	github.com/containers/conmon-rs v0.7.2
 	github.com/containers/image/v5 v5.36.1
 	github.com/containers/kubensmnt v1.2.0
 	github.com/containers/ocicrypt v1.2.1

@@ -104,8 +104,8 @@ github.com/containers/common v0.64.1 h1:E8vSiL+B84/UCsyVSb70GoxY9cu+0bseLujm4EKF
 github.com/containers/common v0.64.1/go.mod h1:CtfQNHoCAZqWeXMwdShcsxmMJSeGRgKKMqAwRKmWrHE=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
-github.com/containers/conmon-rs v0.7.1 h1:moyLfCU6tmu7hDAxJXLp225HXLLN0jPa/9ZyOB+mC1k=
-github.com/containers/conmon-rs v0.7.1/go.mod h1:htNM9ZwmApnrxCDfX6EdCQG1G1pZTTAvEm9sY2+FiOo=
+github.com/containers/conmon-rs v0.7.2 h1:FwBHa0v3Cb6WvrXqiLmQ67WGcDY8SaFlhSKck4g2eKU=
+github.com/containers/conmon-rs v0.7.2/go.mod h1:KphPSdEB/4XnEAaNMJavrGYg0+KHX9hx50LeKm4QaSY=
 github.com/containers/image/v5 v5.36.1 h1:6zpXBqR59UcAzoKpa/By5XekeqFV+htWYfr65+Cgjqo=
 github.com/containers/image/v5 v5.36.1/go.mod h1:b4GMKH2z/5t6/09utbse2ZiLK/c72GuGLFdp7K69eA4=
 github.com/containers/kubensmnt v1.2.0 h1:BDtkaOFQ5fN7FnB9kC6peMW50KkwI1KI8E9ROBFeQIg=

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"path/filepath"
+	"strings"
 	"syscall"
 
 	"github.com/containers/common/pkg/resize"
@@ -59,10 +60,38 @@ func newRuntimePod(r *Runtime, handler *config.RuntimeHandler, c *Container) (Ru
 		cgroupManager = conmonClient.CgroupManagerCgroupfs
 	}
 
+	heaptrack := &conmonClient.Heaptrack{}
+	logDriver := conmonClient.LogDriverNone
+
+	for _, env := range handler.MonitorEnv {
+		keyVal := strings.SplitN(env, "=", 2)
+		if len(keyVal) != 2 {
+			logrus.Warnf("Skipping monitor env %q because it is not in key=value format", env)
+
+			continue
+		}
+
+		switch keyVal[0] {
+		case "LOG_DRIVER":
+			logDriver = conmonClient.LogDriver(keyVal[1])
+
+		case "HEAPTRACK_OUTPUT":
+			heaptrack.Enabled = true
+			heaptrack.OutputPath = filepath.Join(keyVal[1], "cri-o.conmon-rs."+c.ID())
+
+		case "HEAPTRACK_BINARY_PATH":
+			heaptrack.Enabled = true
+			heaptrack.BinaryPath = keyVal[1]
+
+		default:
+			logrus.Warnf("Unknown monitor env option %q", env)
+		}
+	}
+
 	client, err := conmonClient.New(&conmonClient.ConmonServerConfig{
 		ConmonServerPath: handler.MonitorPath,
 		LogLevel:         conmonClient.FromLogrusLevel(logrus.GetLevel()),
-		LogDriver:        conmonClient.LogDriverSystemd,
+		LogDriver:        logDriver,
 		Runtime:          handler.RuntimePath,
 		ServerRunDir:     c.dir,
 		RuntimeRoot:      runRoot,
@@ -72,6 +101,7 @@ func newRuntimePod(r *Runtime, handler *config.RuntimeHandler, c *Container) (Ru
 			Enabled:  r.config.EnableTracing,
 			Endpoint: "http://" + r.config.TracingEndpoint,
 		},
+		Heaptrack: heaptrack,
 	})
 	if err != nil {
 		return nil, err

@@ -1290,6 +1290,11 @@ const templateStringCrioRuntimeRuntimesRuntimeHandler = `# The "crio.runtime.run
 #   should be moved to the container's cgroup
 # - monitor_env (optional, array of strings): Environment variables to pass to the monitor.
 #   Replaces deprecated option "conmon_env".
+#   When using the pod runtime and conmon-rs, then the monitor_env can be used to further configure
+#   conmon-rs by using:
+#     - LOG_DRIVER=[none,systemd,stdout] - Enable logging to the configured target, defaults to none.
+#     - HEAPTRACK_OUTPUT=/path/to/dir - Enable heaptrack profiling and save the files to the set directory.
+#     - HEAPTRACK_BINARY_PATH=/path/to/heaptrack - Enable heaptrack profiling and use set heaptrack binary.
 # - platform_runtime_paths (optional, map): A mapping of platforms to the corresponding
 #   runtime executable paths for the runtime handler.
 # - container_min_memory (optional, string): The minimum memory that must be set for a container.

@@ -11,6 +11,7 @@ sudo apt update
 sudo apt install -y \
     autoconf \
     automake \
+    cgroup-tools \
     conmon \
     criu \
     libaio-dev \

@@ -0,0 +1,122 @@
+#!/usr/bin/env bats
+# vim:set ft=bash :
+
+load helpers
+
+function setup() {
+	setup_test
+}
+
+function teardown() {
+	cleanup_test
+}
+
+function run_test() {
+	CTR_CNT=$1
+	EXEC_CNT=$2
+
+	declare -A RUNTIME_MEMORY=(
+		["conmon"]=0
+		["conmonrs"]=0
+	)
+	declare -A CRIO_MEMORY=(
+		["conmon"]=0
+		["conmonrs"]=0
+	)
+	setup_crio
+
+	for RUNTIME in "${!RUNTIME_MEMORY[@]}"; do
+		RUNTIME_TYPE=oci
+		if [[ $RUNTIME == conmonrs ]]; then
+			RUNTIME_TYPE=pod
+		fi
+
+		MONITOR_PATH="$(command -v "$RUNTIME")"
+		cat << EOF > "$CRIO_CONFIG_DIR/99-runtimes.conf"
+[crio.runtime]
+default_runtime = "$RUNTIME"
+
+[crio.runtime.runtimes.$RUNTIME]
+runtime_path = "$RUNTIME_BINARY_PATH"
+runtime_type = "$RUNTIME_TYPE"
+monitor_path = "$MONITOR_PATH"
+EOF
+		unset CONTAINER_DEFAULT_RUNTIME
+		unset CONTAINER_RUNTIMES
+
+		start_crio_no_setup
+
+		CGROUP=crio-test-$CRIO_PID
+		CGROUP_CONTROLLER=memory
+
+		cgcreate -g "$CGROUP_CONTROLLER:$CGROUP"
+		cgclassify -g "$CGROUP_CONTROLLER:$CGROUP" "$CRIO_PID"
+
+		SBOX_ID=$(crictl runp "$TESTDATA/sandbox_config.json")
+
+		# Run multiple containers under the same sandbox
+		for ((k = 0; k < CTR_CNT; k++)); do
+			jq '.metadata.name = "ctr-'$k'"' "$TESTDATA/container_sleep.json" > "$TESTDIR/ctr.json"
+			CTR_ID=$(crictl run "$TESTDIR/ctr.json" "$TESTDATA/sandbox_config.json")
+
+			for ((i = 0; i < EXEC_CNT; i++)); do
+				crictl exec --sync "$CTR_ID" ps aux
+			done
+		done
+
+		CRIO_MEMORY[$RUNTIME]=$(cat "/sys/fs/cgroup/$CGROUP/memory.current")
+
+		# Accumulate the conmon/-rs memory
+		SCOPES=$(grep 'Running conmon under slice' "$CRIO_LOG" | sed -n 's;.*\(crio-conmon-.*\.scope\).*;\1;p')
+		for SCOPE in $SCOPES; do
+			MEMORY_BYTES=$(systemctl show -p MemoryCurrent "$SCOPE" | sed -n 's;.*\=\([0-9]\+\).*;\1;p')
+			RUNTIME_MEMORY[$RUNTIME]=$((MEMORY_BYTES + ${RUNTIME_MEMORY[$RUNTIME]}))
+		done
+
+		cgdelete "$CGROUP_CONTROLLER:$CGROUP"
+		crictl rmp -f "$SBOX_ID"
+		truncate -s0 "$CRIO_LOG"
+		stop_crio_no_clean
+	done
+
+	printf "\nTest results using %d containers and %d execs per container:\n" "$CTR_CNT" "$EXEC_CNT" >&3
+	printf "conmon:\t\t%dkb\tconmonrs:\t\t%dkb\t(diff: %dkb)\n" \
+		$((RUNTIME_MEMORY["conmon"] / 1024)) \
+		$((RUNTIME_MEMORY["conmonrs"] / 1024)) \
+		$(((RUNTIME_MEMORY["conmonrs"] - RUNTIME_MEMORY["conmon"]) / 1024)) >&3
+
+	printf "CRI-O (conmon):\t%dkb\tCRI-O (conmonrs):\t%dkb\t(diff: %dkb)\n" \
+		$((CRIO_MEMORY["conmon"] / 1024)) \
+		$((CRIO_MEMORY["conmonrs"] / 1024)) \
+		$(((CRIO_MEMORY["conmonrs"] - CRIO_MEMORY["conmon"]) / 1024)) >&3
+
+	printf "Both (conmon):\t%dkb\tBoth (conmonrs):\t%dkb\t(diff: %dkb)\n\n" \
+		$(((RUNTIME_MEMORY["conmon"] + CRIO_MEMORY["conmon"]) / 1024)) \
+		$(((RUNTIME_MEMORY["conmonrs"] + CRIO_MEMORY["conmonrs"]) / 1024)) \
+		$((((RUNTIME_MEMORY["conmonrs"] + CRIO_MEMORY["conmonrs"]) - (RUNTIME_MEMORY["conmon"] + CRIO_MEMORY["conmon"])) / 1024)) >&3
+
+}
+
+@test "compare conmon vs conmonrs using a single container without exec" {
+	run_test 1 0
+}
+
+@test "compare conmon vs conmonrs using a single container with exec" {
+	run_test 1 50
+}
+
+@test "compare conmon vs conmonrs using five containers in a pod without exec" {
+	run_test 5 0
+}
+
+@test "compare conmon vs conmonrs using five containers in a pod with exec" {
+	run_test 5 50
+}
+
+@test "compare conmon vs conmonrs using fifty containers in a pod without exec" {
+	run_test 50 0
+}
+
+@test "compare conmon vs conmonrs using fifty containers in a pod with exec" {
+	run_test 50 50
+}
@@ -39,7 +39,7 @@

 # Only run critest if requested
 if [[ "$RUN_CRITEST" == "1" ]]; then
    TESTS=(critest.bats)
 fi

 # The number of parallel jobs to execute tests
@@ -51,4 +51,4 @@
 bats --version
 
 # Run the tests.
-execute bats --jobs "$JOBS" --tap "${TESTS[@]}"
+execute bats --jobs "$JOBS" --tap conmon-vs-conmonrs.bats
@@ -286,7 +286,7 @@ github.com/containers/common/version
 # github.com/containers/conmon v2.0.20+incompatible
 ## explicit
 github.com/containers/conmon/runner/config
-# github.com/containers/conmon-rs v0.7.1
+# github.com/containers/conmon-rs v0.7.2
 ## explicit; go 1.24.0
 github.com/containers/conmon-rs/internal/proto
 github.com/containers/conmon-rs/pkg/client